
Snapchat
External Program
At Snapchat, we are looking forward to fostering new relationships with the security community as part of our bug bounty program (“Bug Bounty Program”). Our security team reviews all vulnerability reports and acts upon them in accordance with responsible disclosure. Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Bug Bounty Terms”). By submitting a vulnerability report to Snap you acknowledge that you have read and agree to these Bug Bounty Terms.
To qualify for a reward under this Bug Bounty Program, you must:
In addition to the requirements above, you are not eligible for the Bug Bounty Program if:
If you are investigating bugs or vulnerabilities, please use test accounts. If you cannot reproduce an issue with a test account, you can use an account you are expressly authorized to use. You are not permitted to use or interact with any real account belonging to another person without the express written consent of the account owner.
The systems and products that are in-Scope are defined in the “Scope” tab in the HackerOne portal. Any other systems and vulnerabilities are out-of-scope, including the exclusions below in the section entitled “Non-qualifying vulnerabilities and exclusions.”
We will reward reports according to their severity on a case-by-case basis as determined by our security team, in their sole discretion. We may pay more for unique, hard-to-find bugs; we may also pay less for bugs with complex prerequisites that lower risk of exploitation. Our minimum reward is $250 USD.
We are particularly interested in the following categories of security bugs. Here are the typical payments for each:
| Severity | Vulnerability | Typical Payouts[1] |
|---|---|---|
| Critical | Server-Side Remote Code Execution (e.g. command injection) with significant impact to Snapchat services or users | $35,000 |
| Critical | Remote Code Execution on Client (iOS/Android) | $25,000 |
| High | Significant Authentication Bypass / Logic Flaw that allows mass exploitable account takeover | $15,000 |
| High | Insecure direct object reference (IDOR) that allows an attacker to discover another user’s friend list | $10,000 |
| Medium | Unrestricted File System Access (Server-side) that discloses confidential information about our services | $5,000 |
| Low | XSS or XSRF With Significant Security Impact | $4,000 |
[1] Note that the figures listed reflect typical payouts for Snapchat's core applications and websites listed in the "In Scope" section below. Additionally, we always assess the security impact of a vulnerability on our users and their data before deciding on a Bounty. Bounties for non-core websites may vary and be lower than the typical payouts listed in this table. This depends on the nature of the non-core website and is subject to the discretion of the reward panel. For example, if a non-core website is going to be deprecated, a bug in this non-core website may be considered to be lower priority than a bug in our core applications or websites as listed above. This will be reflected in the bounty amount.
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.
Additionally, the following reports do not qualify for a reward:
These Bug Bounty Terms supplement Snap’s Terms of Service (“Snap TOS”). The Snap TOS apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If there are any conflicts between the Snap TOS and these Bug Bounty Terms, the Bug Bounty Terms will control, but only with respect to Good Faith Security Research (as defined below) conducted by you while participating in the Bug Bounty Program. You are also required to comply with the HackerOne terms.
If you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.
We, of course, reserve the right to cancel or modify this program at any time. And the ultimate decision over an award—whether to give one and in what amount—is a decision that lies entirely within our discretion.
Finally, and needless to say, please do not violate any laws when conducting your tests.
If you inadvertently access another person's data or Snap data without authorization while investigating a bug, you must promptly cease any activity that might result in further access to such personal data or Snap data and notify Snap immediately. Your notice should include what information was accessed and how you obtained access. After sending the notice, you should immediately delete the personal data and/or Snap data from all of your systems. Continuing to access that data may demonstrate you are not conducting Good Faith Security Research, disqualify you from a reward, and disqualify you from any benefit of the Safe Harbor described below. You must also acknowledge the inadvertent data access in any related bug bounty report you may subsequently submit. You may not share or disclose any inadvertently accessed Snap data or personal data with anyone else.
Snap supports Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals and the public, and where the information derived from the activity is used to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
If you are engaging in Good Faith Security Research in compliance with these Bug Bounty Terms, Snap provides you authorization, including under the Computer Fraud and Abuse Act (CFAA), to test the security of the products and systems identified as in-scope in the “Scope” section, above. Good Faith Security Research does not include intentionally accessing Snap data or data from a Snap account without express consent, including (but not limited to) data relating to an identified or identifiable natural person (i.e., personal data).
If Snap determines in its sole discretion that your Good Faith Security Research complies in all respects with these Bug Bounty Terms, we will not report you to law enforcement or pursue a civil action against you, including actions under the CFAA or DMCA that involve circumventing the technological measures we have used to protect in-scope products and services. This includes situations where you have engaged in accidental or good faith violations of these Bug Bounty Terms, as determined by Snap in its sole discretion.
To the extent activities authorized by these Bug Bounty Terms are inconsistent with the Snap TOS, we waive those restrictions solely to the extent necessary for the limited purpose of permitting Good Faith Security Research by you in accordance with these Bug Bounty Terms.
If someone brings legal action against you for Good Faith Security Research as part of this Bug Bounty Program, and Snap determines (in its sole discretion) that you have complied with these Bug Bounty Terms, we will endeavor to take steps to make it known, either to the public or a court, that your actions were authorized under this Bug Bounty Program.
CVE-2024-5436 - Type confusion in Snapchat LensCore could lead to denial of service or arbitrary code execution prior to iOS and Android versions 12.88.